
Hello people. I'm really hoping you can help me, it's starting to take a toll on my health, it would seem.

The computer is a Dell desktop, with 4 profiles: Mine, one each for my parents, and one for my sister. My sis's is restricted, while the others are administrators. I was using mine at the time.

The other day I was browsing on the internets normally. I can't recall going anywhere fishy. Perhaps the closest is when I tried to download a YouTube video from a site I'd never been to before...

Unexpectedly, a box popped out to ask me to install Antivirus XP 2008. I assumed it was a pop up, but didn't see any X or whatever. I looked down at the tray, and the box for the installation had the logo next to it from running a .exe file. I right clicked that and did Close. It didn't respond, and the Not Responding box came up. I clicked End Now. A little while later it popped up again. This time I just opened the task manager and ended the process.

I assumed everything was fine.

When I was done on the computer, I closed FireFox and was horrified to see the background changed to a horrid blue, with "Warning! Spyware detected on your PC!" in a yellow and blue box in the middle. I right clicked for the properties, but Desktop and one other, I think it was appearances, were missing. I looked on the internet about that problem, and some people recommended SuperAntiSpyware. I downloaded it and ran it, then went to watch tv with a sinking feeling. I believe at the time already the internet was running slowly, and certain websites were 404s.

I went back to the computer before bed, but it all seemed to have messed up, like it was trying to log me off. There also seemed to be a blue screen of death. I turned off the computer, feeling really bad. The next morning, I tried to turn on the computer to run the SAS again. I decided to see if the background problem was only on my profile (stupidly) and opened my dad's. I breathed a sigh of relief when it was his normal background, but then did facepalm when it turned to the blue one.

I believe I tried to run the SAS, but nothing would respond. I turned off the computer, then turned it on again. When it got to the part where it says, "Windows is starting up..." before the profile selection, it was stuck. I began feeling more distraught. I turned on the comp in Safe Mode and ran SAS. It found stuff, but didn't solve the problem.

I looked on Google on my laptop about Antivirus XP 2008, and deleted a fishy sounding C:/Program Files/(random letters and numbers).

Then I searched the C:/Windows for the .bmp file for the Spyware Detected image. I deleted that, and searched for everything that had the last 4 characters of it and deleted those. I also found the same thingy in msconfig, and unchecked it. I looked in regedit and deleted the registry (I hope). I changed the registry values of the Desktop thing, and restarted my comp in normal mode.

I used my profile this time, and was able to load and not freeze up. I was pleased to see that I was able to change the wallpaper, and had the tabs back in the properties menu.

However, I opened FireFox and searched Google for Antivirus XP 2008 again, to see if I forgot anything, but I saw that all the results would redirect me. Some sites are still 404s, and it's running slow as molasses. I found a direct download of Malwarebytes, which I heard could finish it off, but when I tried to run the .exe, it said the setup was corrupted.

What can I still do to fix this? I was going to do a system restore, but apparently the computer never made one. I am willing to reformat, but only as a last resort, and if I'm able to back up all the emails of my mom's, and documents and stuff.

Your help is appreciated. It's really making me sad all the time now, and having a feeling of hopelessness, especially since I'm one of the most computer savvy people I know in real life. Perhaps it also seems bad to me, because I'm really clean and safe and stuff on that desktop, while on my laptop I can be risky, yet it still works fine. (Except for not allowing login pages like eBay, Hotmail, Yahoo, etc. to work, but I suppose that's another thread.)

Let's start with a couple of things... Please try to redownload Malwarebytes again. If you have to, try one of the alternate download sites listed below. If you are unable to get a good copy, try downloading MBAM with another computer. Be sure to download the updates as well. We can save it to a flash drive. Please also post the result of your SAS log.

If you are successful with the MBAM download, run the following procedure:

When the installation begins, follow the prompts and do not make any changes to default settings.

When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself.

Press the OK button to close that box and continue.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.

Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.

Make sure that everything is checked, and click Remove Selected.

When removal is completed, a log report will open in Notepad.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. – Will Smith

Sorry it took me a while to get to this, it's been bothering me, so I've been stalling and what not.

Ok, I turned on the computer, logged onto my profile, then it froze. I restarted, went to the "Windows is starting up," and froze. Then I restarted in Safe Mode and searched for the same string of characters as the previous stuff (started with lhpc or similar), deleted a registry file and folder with that name. I was able to start in normal mode now, though I put the startup config to diagnostic, in case.

I tried those 3 links, but they were all blocked, so I downloaded it onto a usb drive and plugged it in. Thank heavens it was able to install. I scanned with MWB, and it came up with 296 objects infected.

I'm about to remove them and post the log. In real time!

Blimey, that's a lot of &#^@. Hitting Remove Selected!

Quarantining at the mo'. Dang, I'm nervous. It'd better work.

Ok, the log popped up. Oh noes, I can't just copy and paste, so I guess I'll have to transfer the .txt file.

Closed the log, going to have to find the folder.

Certain items could not be removed! Noooooo!!! Aight, it says I have to reboot. Here I goes.

Ok, it's restarted without a problem (that I can see). Except the tool bar and program windows are vintage Windows 98 looking...

Oh great, now the flash drive won't work.

Now I'm going to run MWB and SAS again to check for anything, then I'm going to restart with all drivers and stuff, since I think it's still in diagnostic.

I tried to do a full system scan with MWB, but my computer was making horrible noises, and the scan was going rather slowly, so I canceled it, then restarted, forgetting to do an SAS sweep, which I shall do now. Though with the full drivers, the display is normal.

SAS came back with 34 detected items. Rebooting to delete.

Apparently, I accidentally deleted the MWB log with all the removed stuff, and the other one I have is clean. I do have the SAS log I just did, though, so I'll put that at the end of the post.

Hmm, Norton just came up with some, "Norton blocked Trojan.Killv" or something like that.

It says the last quick scan was today, which I guess is where it just found that one. And the last full scan was the 20th, when I got infected initially. I doubt it actually full ran, though, because it only had a few thousand files, and didn't take very long.

After scanning 389,000 files, I think that it's rather complete, lol.

"3 total security risks detected"

2 were resolved automatically, I suppose I need to fix the other.

Simply a low risk Tracking Cookie. And now it is destroyed.

I believe everything has pretty much been done on the scanning side of the house. Now to see how the internet works.

Haha! BleepingComputer and other such tech sites all work! And Google isn't trying to redirect me! At normal speeds even!

I love you, rigel!

Now do you have any suggestions on anything else I should do before going back to normal surfing?


Connect to the Internet and double-click on OTMoveIt2.exe to launch the program again.

Click on the green CleanUp! button.

When you do this, a text file named cleanup.txt will be downloaded from the Internet.

If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet, please allow the connection.

After the text file has been downloaded, you will be asked if you want to Begin cleanup process?

Select Yes.

-- Note: Doing this will remove any specialized tools (including this one) downloaded and used. All other programs should be kept on your machine and used on a regular basis.

Then if there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

Then use Disk Cleanup to remove all but the most recently created Restore Point.

Go to Start > Run and type: Cleanmgr

Click "Ok"

Disk Cleanup will scan your files for several minutes, then open.

Click the "More Options" Tab.

Click the "Clean up" button under System Restore.

Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"

Click Yes, then click Ok.

Click Yes again when prompted with "Are you sure you want to perform these actions?"

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.